+++ /dev/null
-/*
- * Copyright (c) 1999-2001,2005-2012 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * sslKeyExchange.c - Support for key exchange and server key exchange
- */
-
-#include "ssl.h"
-#include "sslContext.h"
-#include "sslHandshake.h"
-#include "sslMemory.h"
-#include "sslDebug.h"
-#include "sslUtils.h"
-#include "sslCrypto.h"
-#include "sslRand.h"
-#include "sslDigests.h"
-
-#include <assert.h>
-#include <string.h>
-
-#include <stdio.h>
-#include <utilities/SecCFRelease.h>
-#include <corecrypto/ccdh_gp.h>
-
-#ifdef USE_CDSA_CRYPTO
-//#include <utilities/globalizer.h>
-//#include <utilities/threading.h>
-#include <Security/cssmapi.h>
-#include <Security/SecKeyPriv.h>
-#include "ModuleAttacher.h"
-#else
-#include <AssertMacros.h>
-#include <Security/oidsalg.h>
-#if APPLE_DH
-
-#if TARGET_OS_IPHONE
-#include <Security/SecRSAKey.h>
-#endif
-
-static OSStatus SSLGenServerDHParamsAndKey(SSLContext *ctx);
-static size_t SSLEncodedDHKeyParamsLen(SSLContext *ctx);
-static OSStatus SSLEncodeDHKeyParams(SSLContext *ctx, uint8_t *charPtr);
-
-#endif /* APPLE_DH */
-#endif /* USE_CDSA_CRYPTO */
-
-// MARK: -
-// MARK: Forward Static Declarations
-
-#if APPLE_DH
-#if USE_CDSA_CRYPTO
-static OSStatus SSLGenServerDHParamsAndKey(SSLContext *ctx);
-static OSStatus SSLEncodeDHKeyParams(SSLContext *ctx, uint8_t *charPtr);
-#endif
-static OSStatus SSLDecodeDHKeyParams(SSLContext *ctx, uint8_t **charPtr,
- size_t length);
-#endif
-static OSStatus SSLDecodeECDHKeyParams(SSLContext *ctx, uint8_t **charPtr,
- size_t length);
-
-#define DH_PARAM_DUMP 0
-#if DH_PARAM_DUMP
-
-static void dumpBuf(const char *name, SSLBuffer *buf)
-{
- printf("%s:\n", name);
- uint8_t *cp = buf->data;
- uint8_t *endCp = cp + buf->length;
-
- do {
- unsigned i;
- for(i=0; i<16; i++) {
- printf("%02x ", *cp++);
- if(cp == endCp) {
- break;
- }
- }
- if(cp == endCp) {
- break;
- }
- printf("\n");
- } while(cp < endCp);
- printf("\n");
-}
-#else
-#define dumpBuf(n, b)
-#endif /* DH_PARAM_DUMP */
-
-#if APPLE_DH
-
-// MARK: -
-// MARK: Local Diffie-Hellman Parameter Generator
-
-/*
- * Process-wide server-supplied Diffie-Hellman parameters.
- * This might be overridden by some API_supplied parameters
- * in the future.
- */
-struct ServerDhParams
-{
- /* these two for sending over the wire */
- SSLBuffer prime;
- SSLBuffer generator;
- /* this one for sending to the CSP at key gen time */
- SSLBuffer paramBlock;
-};
-
-
-#endif /* APPLE_DH */
-
-// MARK: -
-// MARK: RSA Key Exchange
-
-/*
- * Client RSA Key Exchange msgs actually start with a two-byte
- * length field, contrary to the first version of RFC 2246, dated
- * January 1999. See RFC 2246, March 2002, section 7.4.7.1 for
- * updated requirements.
- */
-#define RSA_CLIENT_KEY_ADD_LENGTH 1
-
-static OSStatus
-SSLEncodeRSAKeyParams(SSLBuffer *keyParams, SSLPubKey *key, SSLContext *ctx)
-{
-#if 0
- SSLBuffer modulus, exponent;
- uint8_t *charPtr;
-
-#ifdef USE_CDSA_CRYPTO
- if(err = attachToCsp(ctx)) {
- return err;
- }
-
- /* Note currently ALL public keys are raw, obtained from the CL... */
- assert((*key)->KeyHeader.BlobType == CSSM_KEYBLOB_RAW);
-#endif /* USE_CDSA_CRYPTO */
-
- err = sslGetPubKeyBits(ctx,
- key,
- &modulus,
- &exponent);
- if(err) {
- SSLFreeBuffer(&modulus);
- SSLFreeBuffer(&exponent);
- return err;
- }
-
- if ((err = SSLAllocBuffer(keyParams,
- modulus.length + exponent.length + 4, ctx)) != 0) {
- return err;
- }
- charPtr = keyParams->data;
- charPtr = SSLEncodeInt(charPtr, modulus.length, 2);
- memcpy(charPtr, modulus.data, modulus.length);
- charPtr += modulus.length;
- charPtr = SSLEncodeInt(charPtr, exponent.length, 2);
- memcpy(charPtr, exponent.data, exponent.length);
-
- /* these were mallocd by sslGetPubKeyBits() */
- SSLFreeBuffer(&modulus);
- SSLFreeBuffer(&exponent);
- return errSecSuccess;
-#else
- CFDataRef modulus = SecKeyCopyModulus(SECKEYREF(key));
- if (!modulus) {
- sslErrorLog("SSLEncodeRSAKeyParams: SecKeyCopyModulus failed\n");
- return errSSLCrypto;
- }
- CFDataRef exponent = SecKeyCopyExponent(SECKEYREF(key));
- if (!exponent) {
- sslErrorLog("SSLEncodeRSAKeyParams: SecKeyCopyExponent failed\n");
- CFRelease(modulus);
- return errSSLCrypto;
- }
-
- CFIndex modulusLength = CFDataGetLength(modulus);
- CFIndex exponentLength = CFDataGetLength(exponent);
- sslDebugLog("SSLEncodeRSAKeyParams: modulus len=%ld, exponent len=%ld\n",
- modulusLength, exponentLength);
- OSStatus err;
- if ((err = SSLAllocBuffer(keyParams,
- modulusLength + exponentLength + 4)) != 0) {
- CFReleaseSafe(exponent);
- CFReleaseSafe(modulus);
- return err;
- }
- uint8_t *charPtr = keyParams->data;
- charPtr = SSLEncodeSize(charPtr, modulusLength, 2);
- memcpy(charPtr, CFDataGetBytePtr(modulus), modulusLength);
- charPtr += modulusLength;
- charPtr = SSLEncodeSize(charPtr, exponentLength, 2);
- memcpy(charPtr, CFDataGetBytePtr(exponent), exponentLength);
- CFRelease(modulus);
- CFRelease(exponent);
- return errSecSuccess;
-#endif
-}
-
-static OSStatus
-SSLEncodeRSAPremasterSecret(SSLContext *ctx)
-{ SSLBuffer randData;
- OSStatus err;
-
- if ((err = SSLAllocBuffer(&ctx->preMasterSecret,
- SSL_RSA_PREMASTER_SECRET_SIZE)) != 0)
- return err;
-
- assert(ctx->negProtocolVersion >= SSL_Version_3_0);
-
- SSLEncodeInt(ctx->preMasterSecret.data, ctx->clientReqProtocol, 2);
- randData.data = ctx->preMasterSecret.data+2;
- randData.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2;
- if ((err = sslRand(&randData)) != 0)
- return err;
- return errSecSuccess;
-}
-
-/*
- * Generate a server key exchange message signed by our RSA or DSA private key.
- */
-
-static OSStatus
-SSLSignServerKeyExchangeTls12(SSLContext *ctx, SSLSignatureAndHashAlgorithm sigAlg, SSLBuffer exchangeParams, SSLBuffer signature, size_t *actSigLen)
-{
- OSStatus err;
- SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
- uint8_t hashes[SSL_MAX_DIGEST_LEN];
- SSLBuffer signedHashes;
- uint8_t *dataToSign;
- size_t dataToSignLen;
- const HashReference *hashRef;
- SecAsn1AlgId algId;
-
- signedHashes.data = 0;
- hashCtx.data = 0;
-
- clientRandom.data = ctx->clientRandom;
- clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- serverRandom.data = ctx->serverRandom;
- serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
-
- switch (sigAlg.hash) {
- case SSL_HashAlgorithmSHA1:
- hashRef = &SSLHashSHA1;
- algId.algorithm = CSSMOID_SHA1WithRSA;
- break;
- case SSL_HashAlgorithmSHA256:
- hashRef = &SSLHashSHA256;
- algId.algorithm = CSSMOID_SHA256WithRSA;
- break;
- case SSL_HashAlgorithmSHA384:
- hashRef = &SSLHashSHA384;
- algId.algorithm = CSSMOID_SHA384WithRSA;
- break;
- default:
- sslErrorLog("SSLVerifySignedServerKeyExchangeTls12: unsupported hash %d\n", sigAlg.hash);
- return errSSLProtocol;
- }
-
-
- dataToSign = hashes;
- dataToSignLen = hashRef->digestSize;
- hashOut.data = hashes;
- hashOut.length = hashRef->digestSize;
-
- if ((err = ReadyHash(hashRef, &hashCtx)) != 0)
- goto fail;
- if ((err = hashRef->update(&hashCtx, &clientRandom)) != 0)
- goto fail;
- if ((err = hashRef->update(&hashCtx, &serverRandom)) != 0)
- goto fail;
- if ((err = hashRef->update(&hashCtx, &exchangeParams)) != 0)
- goto fail;
- if ((err = hashRef->final(&hashCtx, &hashOut)) != 0)
- goto fail;
-
- if(sigAlg.signature==SSL_SignatureAlgorithmRSA) {
- err = sslRsaSign(ctx,
- ctx->signingPrivKeyRef,
- &algId,
- dataToSign,
- dataToSignLen,
- signature.data,
- signature.length,
- actSigLen);
- } else {
- err = sslRawSign(ctx,
- ctx->signingPrivKeyRef,
- dataToSign, // one or two hashes
- dataToSignLen,
- signature.data,
- signature.length,
- actSigLen);
- }
-
- if(err) {
- sslErrorLog("SSLDecodeSignedServerKeyExchangeTls12: sslRawVerify "
- "returned %d\n", (int)err);
- goto fail;
- }
-
-fail:
- SSLFreeBuffer(&signedHashes);
- SSLFreeBuffer(&hashCtx);
- return err;
-}
-
-static OSStatus
-SSLSignServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer exchangeParams, SSLBuffer signature, size_t *actSigLen)
-{
- OSStatus err;
- uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
- SSLBuffer clientRandom,serverRandom,hashCtx, hash;
- uint8_t *dataToSign;
- size_t dataToSignLen;
-
- hashCtx.data = 0;
-
- /* cook up hash(es) for raw sign */
- clientRandom.data = ctx->clientRandom;
- clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- serverRandom.data = ctx->serverRandom;
- serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
-
- if(isRsa) {
- /* skip this if signing with DSA */
- dataToSign = hashes;
- dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
- hash.data = &hashes[0];
- hash.length = SSL_MD5_DIGEST_LEN;
-
- if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(&hashCtx, &exchangeParams)) != 0)
- goto fail;
- if ((err = SSLHashMD5.final(&hashCtx, &hash)) != 0)
- goto fail;
- if ((err = SSLFreeBuffer(&hashCtx)) != 0)
- goto fail;
- }
- else {
- /* DSA - just use the SHA1 hash */
- dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
- dataToSignLen = SSL_SHA1_DIGEST_LEN;
- }
- hash.data = &hashes[SSL_MD5_DIGEST_LEN];
- hash.length = SSL_SHA1_DIGEST_LEN;
- if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(&hashCtx, &exchangeParams)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.final(&hashCtx, &hash)) != 0)
- goto fail;
- if ((err = SSLFreeBuffer(&hashCtx)) != 0)
- goto fail;
-
-
- err = sslRawSign(ctx,
- ctx->signingPrivKeyRef,
- dataToSign, // one or two hashes
- dataToSignLen,
- signature.data,
- signature.length,
- actSigLen);
- if(err) {
- goto fail;
- }
-
-fail:
- SSLFreeBuffer(&hashCtx);
-
- return err;
-}
-
-static
-OSStatus FindSigAlg(SSLContext *ctx,
- SSLSignatureAndHashAlgorithm *alg)
-{
- unsigned i;
-
- assert(ctx->protocolSide == kSSLServerSide);
- assert(ctx->negProtocolVersion >= TLS_Version_1_2);
- assert(!ctx->isDTLS);
-
- if((ctx->numClientSigAlgs==0) ||(ctx->clientSigAlgs==NULL))
- return errSSLInternal;
-
- //FIXME: Need a better way to select here
- for(i=0; i<ctx->numClientSigAlgs; i++) {
- alg->hash = ctx->clientSigAlgs[i].hash;
- alg->signature = ctx->clientSigAlgs[i].signature;
- //We only support RSA for certs on the server side - but we should test against the cert type
- if(ctx->clientSigAlgs[i].signature != SSL_SignatureAlgorithmRSA)
- continue;
- //Let's only support SHA1 and SHA256. SHA384 does not work with 512 bits keys.
- // We should actually test against what the cert can do.
- if((alg->hash==SSL_HashAlgorithmSHA1) || (alg->hash==SSL_HashAlgorithmSHA256)) {
- return errSecSuccess;
- }
- }
- // We could not find a supported signature and hash algorithm
- return errSSLProtocol;
-}
-
-static OSStatus
-SSLEncodeSignedServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx)
-{ OSStatus err;
- uint8_t *charPtr;
- size_t outputLen;
- bool isRsa = true;
- size_t maxSigLen;
- size_t actSigLen;
- SSLBuffer signature;
- int head = 4;
- SSLBuffer exchangeParams;
-
- assert(ctx->protocolSide == kSSLServerSide);
- assert(ctx->signingPubKey != NULL);
- assert(ctx->negProtocolVersion >= SSL_Version_3_0);
- exchangeParams.data = 0;
- signature.data = 0;
-
-#if ENABLE_DTLS
- if(ctx->negProtocolVersion == DTLS_Version_1_0) {
- head+=8;
- }
-#endif
-
-
- /* Set up parameter block to hash ==> exchangeParams */
- switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
- case SSL_RSA:
- case SSL_RSA_EXPORT:
- /*
- * Parameter block = encryption public key.
- * If app hasn't supplied a separate encryption cert, abort.
- */
- if(ctx->encryptPubKey == NULL) {
- sslErrorLog("RSAServerKeyExchange: no encrypt cert\n");
- return errSSLBadConfiguration;
- }
- err = SSLEncodeRSAKeyParams(&exchangeParams,
- ctx->encryptPubKey, ctx);
- break;
-
-#if APPLE_DH
-
- case SSL_DHE_DSS:
- case SSL_DHE_DSS_EXPORT:
- isRsa = false;
- /* and fall through */
- case SSL_DHE_RSA:
- case SSL_DHE_RSA_EXPORT:
- {
- /*
- * Parameter block = {prime, generator, public key}
- * Obtain D-H parameters (if we don't have them) and a key pair.
- */
- err = SSLGenServerDHParamsAndKey(ctx);
- if(err) {
- return err;
- }
- size_t len = SSLEncodedDHKeyParamsLen(ctx);
- err = SSLAllocBuffer(&exchangeParams, len);
- if(err) {
- goto fail;
- }
- err = SSLEncodeDHKeyParams(ctx, exchangeParams.data);
- break;
- }
-
-#endif /* APPLE_DH */
-
- default:
- /* shouldn't be here */
- assert(0);
- return errSSLInternal;
- }
-
- SSLSignatureAndHashAlgorithm sigAlg;
-
-
- /* preallocate a buffer for signing */
- err = sslGetMaxSigSize(ctx->signingPrivKeyRef, &maxSigLen);
- if(err) {
- goto fail;
- }
- err = SSLAllocBuffer(&signature, maxSigLen);
- if(err) {
- goto fail;
- }
-
- outputLen = exchangeParams.length + 2;
-
- if (sslVersionIsLikeTls12(ctx))
- {
- err=FindSigAlg(ctx, &sigAlg);
- if(err)
- goto fail;
-
- outputLen += 2;
- err = SSLSignServerKeyExchangeTls12(ctx, sigAlg, exchangeParams,
- signature, &actSigLen);
- } else {
- err = SSLSignServerKeyExchange(ctx, isRsa, exchangeParams,
- signature, &actSigLen);
- }
-
- if(err)
- goto fail;
-
- assert(actSigLen <= maxSigLen);
-
- outputLen += actSigLen;
-
- /* package it all up */
- keyExch->protocolVersion = ctx->negProtocolVersion;
- keyExch->contentType = SSL_RecordTypeHandshake;
- if ((err = SSLAllocBuffer(&keyExch->contents, outputLen+head)) != 0)
- goto fail;
-
- charPtr = SSLEncodeHandshakeHeader(ctx, keyExch, SSL_HdskServerKeyExchange, outputLen);
-
- memcpy(charPtr, exchangeParams.data, exchangeParams.length);
- charPtr += exchangeParams.length;
-
- if (sslVersionIsLikeTls12(ctx))
- {
- *charPtr++=sigAlg.hash;
- *charPtr++=sigAlg.signature;
- }
-
- charPtr = SSLEncodeInt(charPtr, actSigLen, 2);
- memcpy(charPtr, signature.data, actSigLen);
- assert((charPtr + actSigLen) ==
- (keyExch->contents.data + keyExch->contents.length));
-
- err = errSecSuccess;
-
-fail:
- SSLFreeBuffer(&exchangeParams);
- SSLFreeBuffer(&signature);
- return err;
-}
-
-static OSStatus
-SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
- uint8_t *signature, UInt16 signatureLen)
-{
- OSStatus err;
- SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
- uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
- SSLBuffer signedHashes;
- uint8_t *dataToSign;
- size_t dataToSignLen;
-
- signedHashes.data = 0;
- hashCtx.data = 0;
-
- clientRandom.data = ctx->clientRandom;
- clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- serverRandom.data = ctx->serverRandom;
- serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
-
-
- if(isRsa) {
- /* skip this if signing with DSA */
- dataToSign = hashes;
- dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
- hashOut.data = hashes;
- hashOut.length = SSL_MD5_DIGEST_LEN;
-
- if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashMD5.update(&hashCtx, &signedParams)) != 0)
- goto fail;
- if ((err = SSLHashMD5.final(&hashCtx, &hashOut)) != 0)
- goto fail;
- }
- else {
- /* DSA, ECDSA - just use the SHA1 hash */
- dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
- dataToSignLen = SSL_SHA1_DIGEST_LEN;
- }
-
- hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
- hashOut.length = SSL_SHA1_DIGEST_LEN;
- if ((err = SSLFreeBuffer(&hashCtx)) != 0)
- goto fail;
-
- if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
- goto fail;
- if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
- goto fail;
-
- err = sslRawVerify(ctx,
- ctx->peerPubKey,
- dataToSign, /* plaintext */
- dataToSignLen, /* plaintext length */
- signature,
- signatureLen);
- if(err) {
- sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
- "returned %d\n", (int)err);
- goto fail;
- }
-
-fail:
- SSLFreeBuffer(&signedHashes);
- SSLFreeBuffer(&hashCtx);
- return err;
-
-}
-
-static OSStatus
-SSLVerifySignedServerKeyExchangeTls12(SSLContext *ctx, SSLSignatureAndHashAlgorithm sigAlg, SSLBuffer signedParams,
- uint8_t *signature, UInt16 signatureLen)
-{
- OSStatus err;
- SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
- uint8_t hashes[SSL_MAX_DIGEST_LEN];
- SSLBuffer signedHashes;
- uint8_t *dataToSign;
- size_t dataToSignLen;
- const HashReference *hashRef;
- SecAsn1AlgId algId;
-
- signedHashes.data = 0;
- hashCtx.data = 0;
-
- clientRandom.data = ctx->clientRandom;
- clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
- serverRandom.data = ctx->serverRandom;
- serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
-
- switch (sigAlg.hash) {
- case SSL_HashAlgorithmSHA1:
- hashRef = &SSLHashSHA1;
- algId.algorithm = CSSMOID_SHA1WithRSA;
- break;
- case SSL_HashAlgorithmSHA256:
- hashRef = &SSLHashSHA256;
- algId.algorithm = CSSMOID_SHA256WithRSA;
- break;
- case SSL_HashAlgorithmSHA384:
- hashRef = &SSLHashSHA384;
- algId.algorithm = CSSMOID_SHA384WithRSA;
- break;
- default:
- sslErrorLog("SSLVerifySignedServerKeyExchangeTls12: unsupported hash %d\n", sigAlg.hash);
- return errSSLProtocol;
- }
-
-
- dataToSign = hashes;
- dataToSignLen = hashRef->digestSize;
- hashOut.data = hashes;
- hashOut.length = hashRef->digestSize;
-
- if ((err = ReadyHash(hashRef, &hashCtx)) != 0)
- goto fail;
- if ((err = hashRef->update(&hashCtx, &clientRandom)) != 0)
- goto fail;
- if ((err = hashRef->update(&hashCtx, &serverRandom)) != 0)
- goto fail;
- if ((err = hashRef->update(&hashCtx, &signedParams)) != 0)
- goto fail;
- if ((err = hashRef->final(&hashCtx, &hashOut)) != 0)
- goto fail;
-
- if(sigAlg.signature==SSL_SignatureAlgorithmRSA) {
- err = sslRsaVerify(ctx,
- ctx->peerPubKey,
- &algId,
- dataToSign,
- dataToSignLen,
- signature,
- signatureLen);
- } else {
- err = sslRawVerify(ctx,
- ctx->peerPubKey,
- dataToSign, /* plaintext */
- dataToSignLen, /* plaintext length */
- signature,
- signatureLen);
- }
-
- if(err) {
- sslErrorLog("SSLDecodeSignedServerKeyExchangeTls12: sslRawVerify "
- "returned %d\n", (int)err);
- goto fail;
- }
-
-fail:
- SSLFreeBuffer(&signedHashes);
- SSLFreeBuffer(&hashCtx);
- return err;
-
-}
-
-/*
- * Decode and verify a server key exchange message signed by server's
- * public key.
- */
-static OSStatus
-SSLDecodeSignedServerKeyExchange(SSLBuffer message, SSLContext *ctx)
-{
- OSStatus err;
- UInt16 modulusLen = 0, exponentLen = 0, signatureLen;
- uint8_t *modulus = NULL, *exponent = NULL, *signature;
- bool isRsa = true;
-
- assert(ctx->protocolSide == kSSLClientSide);
-
- if (message.length < 2) {
- sslErrorLog("SSLDecodeSignedServerKeyExchange: msg len error 1\n");
- return errSSLProtocol;
- }
-
- /* first extract the key-exchange-method-specific parameters */
- uint8_t *charPtr = message.data;
- uint8_t *endCp = charPtr + message.length;
- switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
- case SSL_RSA:
- case SSL_RSA_EXPORT:
- modulusLen = SSLDecodeInt(charPtr, 2);
- charPtr += 2;
- if((charPtr + modulusLen) > endCp) {
- sslErrorLog("signedServerKeyExchange: msg len error 2\n");
- return errSSLProtocol;
- }
- modulus = charPtr;
- charPtr += modulusLen;
-
- exponentLen = SSLDecodeInt(charPtr, 2);
- charPtr += 2;
- if((charPtr + exponentLen) > endCp) {
- sslErrorLog("signedServerKeyExchange: msg len error 3\n");
- return errSSLProtocol;
- }
- exponent = charPtr;
- charPtr += exponentLen;
- break;
-#if APPLE_DH
- case SSL_DHE_DSS:
- case SSL_DHE_DSS_EXPORT:
- isRsa = false;
- /* and fall through */
- case SSL_DHE_RSA:
- case SSL_DHE_RSA_EXPORT:
- err = SSLDecodeDHKeyParams(ctx, &charPtr, message.length);
- if(err) {
- return err;
- }
- break;
- #endif /* APPLE_DH */
-
- case SSL_ECDHE_ECDSA:
- isRsa = false;
- /* and fall through */
- case SSL_ECDHE_RSA:
- err = SSLDecodeECDHKeyParams(ctx, &charPtr, message.length);
- if(err) {
- return err;
- }
- break;
- default:
- assert(0);
- return errSSLInternal;
- }
-
- /* this is what's hashed */
- SSLBuffer signedParams;
- signedParams.data = message.data;
- signedParams.length = charPtr - message.data;
-
- SSLSignatureAndHashAlgorithm sigAlg;
-
- if (sslVersionIsLikeTls12(ctx)) {
- /* Parse the algorithm field added in TLS1.2 */
- if((charPtr + 2) > endCp) {
- sslErrorLog("signedServerKeyExchange: msg len error 499\n");
- return errSSLProtocol;
- }
- sigAlg.hash = *charPtr++;
- sigAlg.signature = *charPtr++;
- }
-
- signatureLen = SSLDecodeInt(charPtr, 2);
- charPtr += 2;
- if((charPtr + signatureLen) != endCp) {
- sslErrorLog("signedServerKeyExchange: msg len error 4\n");
- return errSSLProtocol;
- }
- signature = charPtr;
-
- if (sslVersionIsLikeTls12(ctx))
- {
- err = SSLVerifySignedServerKeyExchangeTls12(ctx, sigAlg, signedParams,
- signature, signatureLen);
- } else {
- err = SSLVerifySignedServerKeyExchange(ctx, isRsa, signedParams,
- signature, signatureLen);
- }
-
- if(err)
- goto fail;
-
- /* Signature matches; now replace server key with new key (RSA only) */
- switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
- case SSL_RSA:
- case SSL_RSA_EXPORT:
- {
- SSLBuffer modBuf;
- SSLBuffer expBuf;
-
- /* first free existing peerKey */
- sslFreePubKey(&ctx->peerPubKey); /* no KCItem */
-
- /* and cook up a new one from raw bits */
- modBuf.data = modulus;
- modBuf.length = modulusLen;
- expBuf.data = exponent;
- expBuf.length = exponentLen;
- err = sslGetPubKeyFromBits(ctx,
- &modBuf,
- &expBuf,
- &ctx->peerPubKey);
- break;
- }
- case SSL_DHE_RSA:
- case SSL_DHE_RSA_EXPORT:
- case SSL_DHE_DSS:
- case SSL_DHE_DSS_EXPORT:
- case SSL_ECDHE_ECDSA:
- case SSL_ECDHE_RSA:
- break; /* handled above */
- default:
- assert(0);
- }
-fail:
- return err;
-}
-
-static OSStatus
-SSLDecodeRSAKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
-{ OSStatus err;
- size_t outputLen, localKeyModulusLen;
- SSLProtocolVersion version;
- Boolean useEncryptKey = false;
- uint8_t *src = NULL;
- SSLPrivKey *keyRef = NULL;
-
- assert(ctx->protocolSide == kSSLServerSide);
- if (ctx->encryptPrivKeyRef) {
- useEncryptKey = true;
- }
- if (useEncryptKey) {
- keyRef = ctx->encryptPrivKeyRef;
- /* FIXME: when 3420180 is implemented, pick appropriate creds here */
- }
- else {
- keyRef = ctx->signingPrivKeyRef;
- /* FIXME: when 3420180 is implemented, pick appropriate creds here */
- }
-
- localKeyModulusLen = sslPrivKeyLengthInBytes(keyRef);
- if (localKeyModulusLen == 0) {
- sslErrorLog("SSLDecodeRSAKeyExchange: private key modulus is 0\n");
- return errSSLCrypto;
- }
-
- /*
- * We have to tolerate incoming key exchange msgs with and without the
- * two-byte "encrypted length" field.
- */
- if (keyExchange.length == localKeyModulusLen) {
- /* no length encoded */
- src = keyExchange.data;
- }
- else if((keyExchange.length == (localKeyModulusLen + 2)) &&
- (ctx->negProtocolVersion >= TLS_Version_1_0)) {
- /* TLS only - skip the length bytes */
- src = keyExchange.data + 2;
- }
- else {
- sslErrorLog("SSLDecodeRSAKeyExchange: length error (exp %u got %u)\n",
- (unsigned)localKeyModulusLen, (unsigned)keyExchange.length);
- return errSSLProtocol;
- }
- err = SSLAllocBuffer(&ctx->preMasterSecret, SSL_RSA_PREMASTER_SECRET_SIZE);
- if(err != 0) {
- return err;
- }
-
- /*
- * From this point on, to defend against the Bleichenbacher attack
- * and its Klima-Pokorny-Rosa variant, any errors we detect are *not*
- * reported to the caller or the peer. If we detect any error during
- * decryption (e.g., bad PKCS1 padding) or in the testing of the version
- * number in the premaster secret, we proceed by generating a random
- * premaster secret, with the correct version number, and tell our caller
- * that everything is fine. This session will fail as soon as the
- * finished messages are sent, since we will be using a bogus premaster
- * secret (and hence bogus session and MAC keys). Meanwhile we have
- * not provided any side channel information relating to the cause of
- * the failure.
- *
- * See http://eprint.iacr.org/2003/052/ for more info.
- */
- err = sslRsaDecrypt(ctx,
- keyRef,
-#if USE_CDSA_CRYPTO
- CSSM_PADDING_PKCS1,
-#else
- kSecPaddingPKCS1,
-#endif
- src,
- localKeyModulusLen, // ciphertext len
- ctx->preMasterSecret.data,
- SSL_RSA_PREMASTER_SECRET_SIZE, // plaintext buf available
- &outputLen);
-
- if(err != errSecSuccess) {
- /* possible Bleichenbacher attack */
- sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: RSA decrypt fail");
- }
- else if(outputLen != SSL_RSA_PREMASTER_SECRET_SIZE) {
- sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: premaster secret size error");
- err = errSSLProtocol; // not passed back to caller
- }
-
- if(err == errSecSuccess) {
- /*
- * Two legal values here - the one we actually negotiated (which is
- * technically incorrect but not uncommon), and the one the client
- * sent as its preferred version in the client hello msg.
- */
- version = (SSLProtocolVersion)SSLDecodeInt(ctx->preMasterSecret.data, 2);
- if((version != ctx->negProtocolVersion) &&
- (version != ctx->clientReqProtocol)) {
- /* possible Klima-Pokorny-Rosa attack */
- sslLogNegotiateDebug("SSLDecodeRSAKeyExchange: version error");
- err = errSSLProtocol;
- }
- }
- if(err != errSecSuccess) {
- /*
- * Obfuscate failures for defense against Bleichenbacher and
- * Klima-Pokorny-Rosa attacks.
- */
- SSLEncodeInt(ctx->preMasterSecret.data, ctx->negProtocolVersion, 2);
- SSLBuffer tmpBuf;
- tmpBuf.data = ctx->preMasterSecret.data + 2;
- tmpBuf.length = SSL_RSA_PREMASTER_SECRET_SIZE - 2;
- /* must ignore failures here */
- sslRand(&tmpBuf);
- }
-
- /* in any case, save premaster secret (good or bogus) and proceed */
- return errSecSuccess;
-}
-
-static OSStatus
-SSLEncodeRSAKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
-{ OSStatus err;
- size_t outputLen, peerKeyModulusLen;
- size_t bufLen;
- uint8_t *dst;
- bool encodeLen = false;
- uint8_t *p;
- int head;
- size_t msglen;
-
- assert(ctx->protocolSide == kSSLClientSide);
- if ((err = SSLEncodeRSAPremasterSecret(ctx)) != 0)
- return err;
-
- keyExchange->contentType = SSL_RecordTypeHandshake;
- assert(ctx->negProtocolVersion >= SSL_Version_3_0);
- keyExchange->protocolVersion = ctx->negProtocolVersion;
-
- peerKeyModulusLen = sslPubKeyLengthInBytes(ctx->peerPubKey);
- if (peerKeyModulusLen == 0) {
- sslErrorLog("SSLEncodeRSAKeyExchange: peer key modulus is 0\n");
- /* FIXME: we don't return an error here... is this condition ever expected? */
- }
-#if SSL_DEBUG
- sslDebugLog("SSLEncodeRSAKeyExchange: peer key modulus length = %lu\n", peerKeyModulusLen);
-#endif
- msglen = peerKeyModulusLen;
- #if RSA_CLIENT_KEY_ADD_LENGTH
- if(ctx->negProtocolVersion >= TLS_Version_1_0) {
- msglen += 2;
- encodeLen = true;
- }
- #endif
- head = SSLHandshakeHeaderSize(keyExchange);
- bufLen = msglen + head;
- if ((err = SSLAllocBuffer(&keyExchange->contents,
- bufLen)) != 0)
- {
- return err;
- }
- dst = keyExchange->contents.data + head;
- if(encodeLen) {
- dst += 2;
- }
-
- /* FIXME: can this line be removed? */
- p = keyExchange->contents.data;
-
- p = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, msglen);
-
- if(encodeLen) {
- /* the length of the encrypted pre_master_secret */
- SSLEncodeSize(keyExchange->contents.data + head,
- peerKeyModulusLen, 2);
- }
- err = sslRsaEncrypt(ctx,
- ctx->peerPubKey,
-#if USE_CDSA_CRYPTO
- CSSM_PADDING_PKCS1,
-#else
- kSecPaddingPKCS1,
-#endif
- ctx->preMasterSecret.data,
- SSL_RSA_PREMASTER_SECRET_SIZE,
- dst,
- peerKeyModulusLen,
- &outputLen);
- if(err) {
- sslErrorLog("SSLEncodeRSAKeyExchange: error %d\n", (int)err);
- return err;
- }
-
- assert(outputLen == (encodeLen ? msglen - 2 : msglen));
-
- return errSecSuccess;
-}
-
-
-#if APPLE_DH
-
-// MARK: -
-// MARK: Diffie-Hellman Key Exchange
-
-/*
- * Diffie-Hellman setup, server side. On successful return, the
- * following SSLContext members are valid:
- *
- * dhParamsPrime
- * dhParamsGenerator
- * dhPrivate
- * dhExchangePublic
- */
-static OSStatus
-SSLGenServerDHParamsAndKey(
- SSLContext *ctx)
-{
- OSStatus ortn;
- assert(ctx->protocolSide == kSSLServerSide);
-
-
- /*
- * Obtain D-H parameters if we don't have them.
- */
- if(ctx->dhParamsEncoded.data == NULL) {
- /* TODO: Pick appropriate group based on cipher suite */
- ccdh_const_gp_t gp = ccdh_gp_rfc5114_MODP_2048_256();
- cc_size n = ccdh_gp_n(gp);
- size_t s = ccdh_gp_prime_size(gp);
- uint8_t p[s];
- uint8_t g[s];
-
- ccn_write_uint(n, ccdh_gp_prime(gp), s, p);
- ccn_write_uint(n, ccdh_gp_g(gp), s, g);
-
- const SSLBuffer prime = {
- .data = p,
- .length = s,
- };
- const SSLBuffer generator = {
- .data = g,
- .length = s,
- };
-
- ortn=sslEncodeDhParams(&ctx->dhParamsEncoded, /* data mallocd and RETURNED PKCS-3 encoded */
- &prime, /* Wire format */
- &generator); /* Wire format */
-
- if(ortn)
- return ortn;
- }
-
-#if USE_CDSA_CRYPTO
- /* generate per-session D-H key pair */
- sslFreeKey(ctx->cspHand, &ctx->dhPrivate, NULL);
- SSLFreeBuffer(&ctx->dhExchangePublic);
- ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY));
- CSSM_KEY pubKey;
- ortn = sslDhGenerateKeyPair(ctx,
- &ctx->dhParamsEncoded,
- ctx->dhParamsPrime.length * 8,
- &pubKey, ctx->dhPrivate);
- if(ortn) {
- return ortn;
- }
- CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic);
-#else
- if (!ctx->secDHContext) {
- ortn = sslDhCreateKey(ctx);
- if(ortn)
- return ortn;
- }
- return sslDhGenerateKeyPair(ctx);
-#endif
- return errSecSuccess;
-}
-
-/*
- * size of DH param and public key, in wire format
- */
-static size_t
-SSLEncodedDHKeyParamsLen(SSLContext *ctx)
-{
- SSLBuffer prime;
- SSLBuffer generator;
-
- sslDecodeDhParams(&ctx->dhParamsEncoded, &prime, &generator);
-
- return (2+prime.length+2+generator.length+2+ctx->dhExchangePublic.length);
-}
-
-/*
- * Encode DH params and public key, in wire format, in caller-supplied buffer.
- */
-static OSStatus
-SSLEncodeDHKeyParams(
- SSLContext *ctx,
- uint8_t *charPtr)
-{
- assert(ctx->protocolSide == kSSLServerSide);
- assert(ctx->dhParamsEncoded.data != NULL);
- assert(ctx->dhExchangePublic.data != NULL);
-
- SSLBuffer prime;
- SSLBuffer generator;
-
- sslDecodeDhParams(&ctx->dhParamsEncoded, &prime, &generator);
-
- charPtr = SSLEncodeInt(charPtr, prime.length, 2);
- memcpy(charPtr, prime.data, prime.length);
- charPtr += prime.length;
-
- charPtr = SSLEncodeInt(charPtr, generator.length, 2);
- memcpy(charPtr, generator.data,
- generator.length);
- charPtr += generator.length;
-
- /* TODO: hum.... sounds like this one should be in the SecDHContext */
- charPtr = SSLEncodeInt(charPtr, ctx->dhExchangePublic.length, 2);
- memcpy(charPtr, ctx->dhExchangePublic.data,
- ctx->dhExchangePublic.length);
-
- dumpBuf("server prime", &prime);
- dumpBuf("server generator", &generator);
- dumpBuf("server pub key", &ctx->dhExchangePublic);
-
- return errSecSuccess;
-}
-
-/*
- * Decode DH params and server public key.
- */
-static OSStatus
-SSLDecodeDHKeyParams(
- SSLContext *ctx,
- uint8_t **charPtr, // IN/OUT
- size_t length)
-{
- OSStatus err = errSecSuccess;
- SSLBuffer prime;
- SSLBuffer generator;
-
- assert(ctx->protocolSide == kSSLClientSide);
- uint8_t *endCp = *charPtr + length;
-
- /* Allow reuse via renegotiation */
- SSLFreeBuffer(&ctx->dhPeerPublic);
-
- /* Prime, with a two-byte length */
- UInt32 len = SSLDecodeInt(*charPtr, 2);
- (*charPtr) += 2;
- if((*charPtr + len) > endCp) {
- return errSSLProtocol;
- }
-
- prime.data = *charPtr;
- prime.length = len;
-
- (*charPtr) += len;
-
- /* Generator, with a two-byte length */
- len = SSLDecodeInt(*charPtr, 2);
- (*charPtr) += 2;
- if((*charPtr + len) > endCp) {
- return errSSLProtocol;
- }
-
- generator.data = *charPtr;
- generator.length = len;
-
- (*charPtr) += len;
-
- sslEncodeDhParams(&ctx->dhParamsEncoded, &prime, &generator);
-
- /* peer public key, with a two-byte length */
- len = SSLDecodeInt(*charPtr, 2);
- (*charPtr) += 2;
- err = SSLAllocBuffer(&ctx->dhPeerPublic, len);
- if(err) {
- return err;
- }
- memmove(ctx->dhPeerPublic.data, *charPtr, len);
- (*charPtr) += len;
-
- dumpBuf("client peer pub", &ctx->dhPeerPublic);
- // dumpBuf("client prime", &ctx->dhParamsPrime);
- // dumpBuf("client generator", &ctx->dhParamsGenerator);
-
- return err;
-}
-
-/*
- * Given the server's Diffie-Hellman parameters, generate our
- * own DH key pair, and perform key exchange using the server's
- * public key and our private key. The result is the premaster
- * secret.
- *
- * SSLContext members valid on entry:
- * dhParamsPrime
- * dhParamsGenerator
- * dhPeerPublic
- *
- * SSLContext members valid on successful return:
- * dhPrivate
- * dhExchangePublic
- * preMasterSecret
- */
-static OSStatus
-SSLGenClientDHKeyAndExchange(SSLContext *ctx)
-{
- OSStatus ortn;
-
-#if USE_CDSA_CRYPTO
-
- if((ctx->dhParamsPrime.data == NULL) ||
- (ctx->dhParamsGenerator.data == NULL) ||
- (ctx->dhPeerPublic.data == NULL)) {
- sslErrorLog("SSLGenClientDHKeyAndExchange: incomplete server params\n");
- return errSSLProtocol;
- }
-
- /* generate two keys */
- CSSM_KEY pubKey;
- ctx->dhPrivate = (CSSM_KEY *)sslMalloc(sizeof(CSSM_KEY));
- ortn = sslDhGenKeyPairClient(ctx,
- &ctx->dhParamsPrime,
- &ctx->dhParamsGenerator,
- &pubKey, ctx->dhPrivate);
- if(ortn) {
- sslFree(ctx->dhPrivate);
- ctx->dhPrivate = NULL;
- return ortn;
- }
-
- /* do the exchange, size of prime */
- ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8,
- &ctx->preMasterSecret);
- if(ortn) {
- return ortn;
- }
- CSSM_TO_SSLBUF(&pubKey.KeyData, &ctx->dhExchangePublic);
-#else
- ortn=errSSLProtocol;
- require(ctx->dhParamsEncoded.data, out);
- require_noerr(ortn = sslDhCreateKey(ctx), out);
- require_noerr(ortn = sslDhGenerateKeyPair(ctx), out);
- require_noerr(ortn = sslDhKeyExchange(ctx), out);
-out:
-#endif
- return ortn;
-}
-
-
-static OSStatus
-SSLEncodeDHanonServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx)
-{
- OSStatus ortn = errSecSuccess;
- int head;
-
- assert(ctx->negProtocolVersion >= SSL_Version_3_0);
- assert(ctx->protocolSide == kSSLServerSide);
-
- /*
- * Obtain D-H parameters (if we don't have them) and a key pair.
- */
- ortn = SSLGenServerDHParamsAndKey(ctx);
- if(ortn) {
- return ortn;
- }
-
- size_t length = SSLEncodedDHKeyParamsLen(ctx);
-
- keyExch->protocolVersion = ctx->negProtocolVersion;
- keyExch->contentType = SSL_RecordTypeHandshake;
- head = SSLHandshakeHeaderSize(keyExch);
- if ((ortn = SSLAllocBuffer(&keyExch->contents, length+head)))
- return ortn;
-
- uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExch, SSL_HdskServerKeyExchange, length);
-
- /* encode prime, generator, our public key */
- return SSLEncodeDHKeyParams(ctx, charPtr);
-}
-
-static OSStatus
-SSLDecodeDHanonServerKeyExchange(SSLBuffer message, SSLContext *ctx)
-{
- OSStatus err = errSecSuccess;
-
- assert(ctx->protocolSide == kSSLClientSide);
- if (message.length < 6) {
- sslErrorLog("SSLDecodeDHanonServerKeyExchange error: msg len %u\n",
- (unsigned)message.length);
- return errSSLProtocol;
- }
- uint8_t *charPtr = message.data;
- err = SSLDecodeDHKeyParams(ctx, &charPtr, message.length);
- if(err == errSecSuccess) {
- if((message.data + message.length) != charPtr) {
- err = errSSLProtocol;
- }
- }
- return err;
-}
-
-static OSStatus
-SSLDecodeDHClientKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
-{
- OSStatus ortn = errSecSuccess;
- unsigned int publicLen;
-
- assert(ctx->protocolSide == kSSLServerSide);
- if(ctx->dhParamsEncoded.data == NULL) {
- /* should never happen */
- assert(0);
- return errSSLInternal;
- }
-
- /* this message simply contains the client's public DH key */
- uint8_t *charPtr = keyExchange.data;
- publicLen = SSLDecodeInt(charPtr, 2);
- charPtr += 2;
- /* TODO : Check the len here ? Will fail in sslDhKeyExchange anyway */
- /*
- if((keyExchange.length != publicLen + 2) ||
- (publicLen > ctx->dhParamsPrime.length)) {
- return errSSLProtocol;
- }
- */
- SSLFreeBuffer(&ctx->dhPeerPublic); // allow reuse via renegotiation
- ortn = SSLAllocBuffer(&ctx->dhPeerPublic, publicLen);
- if(ortn) {
- return ortn;
- }
- memmove(ctx->dhPeerPublic.data, charPtr, publicLen);
-
- /* DH Key exchange, result --> premaster secret */
- SSLFreeBuffer(&ctx->preMasterSecret);
-#if USE_CDSA_CRYPTO
- ortn = sslDhKeyExchange(ctx, ctx->dhParamsPrime.length * 8,
- &ctx->preMasterSecret);
-#else
- ortn = sslDhKeyExchange(ctx);
-#endif
- dumpBuf("server peer pub", &ctx->dhPeerPublic);
- dumpBuf("server premaster", &ctx->preMasterSecret);
- return ortn;
-}
-
-static OSStatus
-SSLEncodeDHClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
-{ OSStatus err;
- size_t outputLen;
- int head;
-
- assert(ctx->protocolSide == kSSLClientSide);
- assert(ctx->negProtocolVersion >= SSL_Version_3_0);
-
- keyExchange->contentType = SSL_RecordTypeHandshake;
- keyExchange->protocolVersion = ctx->negProtocolVersion;
-
- if ((err = SSLGenClientDHKeyAndExchange(ctx)) != 0)
- return err;
-
- outputLen = ctx->dhExchangePublic.length + 2;
- head = SSLHandshakeHeaderSize(keyExchange);
- if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head)))
- return err;
-
- uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen);
-
- charPtr = SSLEncodeSize(charPtr, ctx->dhExchangePublic.length, 2);
- memcpy(charPtr, ctx->dhExchangePublic.data, ctx->dhExchangePublic.length);
-
- dumpBuf("client pub key", &ctx->dhExchangePublic);
- dumpBuf("client premaster", &ctx->preMasterSecret);
-
- return errSecSuccess;
-}
-
-#endif /* APPLE_DH */
-
-// MARK: -
-// MARK: ECDSA Key Exchange
-
-/*
- * Given the server's ECDH curve params and public key, generate our
- * own ECDH key pair, and perform key exchange using the server's
- * public key and our private key. The result is the premaster
- * secret.
- *
- * SSLContext members valid on entry:
- * if keyExchangeMethod == SSL_ECDHE_ECDSA or SSL_ECDHE_RSA:
- * ecdhPeerPublic
- * ecdhPeerCurve
- * if keyExchangeMethod == SSL_ECDH_ECDSA or SSL_ECDH_RSA:
- * peerPubKey, from which we infer ecdhPeerCurve
- *
- * SSLContext members valid on successful return:
- * ecdhPrivate
- * ecdhExchangePublic
- * preMasterSecret
- */
-static OSStatus
-SSLGenClientECDHKeyAndExchange(SSLContext *ctx)
-{
- OSStatus ortn;
-
- assert(ctx->protocolSide == kSSLClientSide);
-
- switch(ctx->selectedCipherSpecParams.keyExchangeMethod) {
- case SSL_ECDHE_ECDSA:
- case SSL_ECDHE_RSA:
- /* Server sent us an ephemeral key with peer curve specified */
- if(ctx->ecdhPeerPublic.data == NULL) {
- sslErrorLog("SSLGenClientECDHKeyAndExchange: incomplete server params\n");
- return errSSLProtocol;
- }
- break;
- case SSL_ECDH_ECDSA:
- case SSL_ECDH_RSA:
- {
- /* No server key exchange; we have to get the curve from the key */
- if(ctx->peerPubKey == NULL) {
- sslErrorLog("SSLGenClientECDHKeyAndExchange: no peer key\n");
- return errSSLInternal;
- }
-
- /* The peer curve is in the key's CSSM_X509_ALGORITHM_IDENTIFIER... */
- ortn = sslEcdsaPeerCurve(ctx->peerPubKey, &ctx->ecdhPeerCurve);
- if(ortn) {
- return ortn;
- }
- sslEcdsaDebug("SSLGenClientECDHKeyAndExchange: derived peerCurve %u",
- (unsigned)ctx->ecdhPeerCurve);
- break;
- }
- default:
- /* shouldn't be here */
- assert(0);
- return errSSLInternal;
- }
-
- /* Generate our (ephemeral) pair, or extract it from our signing identity */
- if((ctx->negAuthType == SSLClientAuth_RSAFixedECDH) ||
- (ctx->negAuthType == SSLClientAuth_ECDSAFixedECDH)) {
- /*
- * Client auth with a fixed ECDH key in the cert. Convert private key
- * from SecKeyRef to CSSM format. We don't need ecdhExchangePublic
- * because the server gets that from our cert.
- */
- assert(ctx->signingPrivKeyRef != NULL);
-#if USE_CDSA_CRYPTO
- //assert(ctx->cspHand != 0);
- sslFreeKey(ctx->cspHand, &ctx->ecdhPrivate, NULL);
- SSLFreeBuffer(&ctx->ecdhExchangePublic);
- ortn = SecKeyGetCSSMKey(ctx->signingPrivKeyRef, (const CSSM_KEY **)&ctx->ecdhPrivate);
- if(ortn) {
- return ortn;
- }
- ortn = SecKeyGetCSPHandle(ctx->signingPrivKeyRef, &ctx->ecdhPrivCspHand);
- if(ortn) {
- sslErrorLog("SSLGenClientECDHKeyAndExchange: SecKeyGetCSPHandle err %d\n",
- (int)ortn);
- }
-#endif
- sslEcdsaDebug("+++ Extracted ECDH private key");
- }
- else {
- /* generate a new pair */
- ortn = sslEcdhGenerateKeyPair(ctx, ctx->ecdhPeerCurve);
- if(ortn) {
- return ortn;
- }
-#if USE_CDSA_CRYPTO
- sslEcdsaDebug("+++ Generated %u bit (%u byte) ECDH key pair",
- (unsigned)ctx->ecdhPrivate->KeyHeader.LogicalKeySizeInBits,
- (unsigned)((ctx->ecdhPrivate->KeyHeader.LogicalKeySizeInBits + 7) / 8));
-#endif
- }
-
-
- /* do the exchange --> premaster secret */
- ortn = sslEcdhKeyExchange(ctx, &ctx->preMasterSecret);
- if(ortn) {
- return ortn;
- }
- return errSecSuccess;
-}
-
-
-/*
- * Decode ECDH params and server public key.
- */
-static OSStatus
-SSLDecodeECDHKeyParams(
- SSLContext *ctx,
- uint8_t **charPtr, // IN/OUT
- size_t length)
-{
- OSStatus err = errSecSuccess;
-
- sslEcdsaDebug("+++ Decoding ECDH Server Key Exchange");
-
- assert(ctx->protocolSide == kSSLClientSide);
- uint8_t *endCp = *charPtr + length;
-
- /* Allow reuse via renegotiation */
- SSLFreeBuffer(&ctx->ecdhPeerPublic);
-
- /*** ECParameters - just a curveType and a named curve ***/
-
- /* 1-byte curveType, we only allow one type */
- uint8_t curveType = **charPtr;
- if(curveType != SSL_CurveTypeNamed) {
- sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: Bad curveType (%u)\n", (unsigned)curveType);
- return errSSLProtocol;
- }
- (*charPtr)++;
- if(*charPtr > endCp) {
- return errSSLProtocol;
- }
-
- /* two-byte curve */
- ctx->ecdhPeerCurve = SSLDecodeInt(*charPtr, 2);
- (*charPtr) += 2;
- if(*charPtr > endCp) {
- return errSSLProtocol;
- }
- switch(ctx->ecdhPeerCurve) {
- case SSL_Curve_secp256r1:
- case SSL_Curve_secp384r1:
- case SSL_Curve_secp521r1:
- break;
- default:
- sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: Bad curve (%u)\n",
- (unsigned)ctx->ecdhPeerCurve);
- return errSSLProtocol;
- }
-
- sslEcdsaDebug("+++ SSLDecodeECDHKeyParams: ecdhPeerCurve %u",
- (unsigned)ctx->ecdhPeerCurve);
-
- /*** peer public key as an ECPoint ***/
-
- /*
- * The spec says the the max length of an ECPoint is 255 bytes, limiting
- * this whole mechanism to a max modulus size of 1020 bits, which I find
- * hard to believe...
- */
- UInt32 len = SSLDecodeInt(*charPtr, 1);
- (*charPtr)++;
- if((*charPtr + len) > endCp) {
- return errSSLProtocol;
- }
- err = SSLAllocBuffer(&ctx->ecdhPeerPublic, len);
- if(err) {
- return err;
- }
- memmove(ctx->ecdhPeerPublic.data, *charPtr, len);
- (*charPtr) += len;
-
- dumpBuf("client peer pub", &ctx->ecdhPeerPublic);
-
- return err;
-}
-
-
-static OSStatus
-SSLEncodeECDHClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
-{ OSStatus err;
- size_t outputLen;
- int head;
-
- assert(ctx->protocolSide == kSSLClientSide);
- if ((err = SSLGenClientECDHKeyAndExchange(ctx)) != 0)
- return err;
-
- /*
- * Per RFC 4492 5.7, if we're doing ECDSA_fixed_ECDH or RSA_fixed_ECDH
- * client auth, we still send this message, but it's empty (because the
- * server gets our public key from our cert).
- */
- bool emptyMsg = false;
- switch(ctx->negAuthType) {
- case SSLClientAuth_RSAFixedECDH:
- case SSLClientAuth_ECDSAFixedECDH:
- emptyMsg = true;
- break;
- default:
- break;
- }
- if(emptyMsg) {
- outputLen = 0;
- }
- else {
- outputLen = ctx->ecdhExchangePublic.length + 1;
- }
-
- keyExchange->contentType = SSL_RecordTypeHandshake;
- assert(ctx->negProtocolVersion >= SSL_Version_3_0);
- keyExchange->protocolVersion = ctx->negProtocolVersion;
- head = SSLHandshakeHeaderSize(keyExchange);
- if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head)))
- return err;
-
- uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen);
- if(emptyMsg) {
- sslEcdsaDebug("+++ Sending EMPTY ECDH Client Key Exchange");
- }
- else {
- /* just a 1-byte length here... */
- charPtr = SSLEncodeSize(charPtr, ctx->ecdhExchangePublic.length, 1);
- memcpy(charPtr, ctx->ecdhExchangePublic.data, ctx->ecdhExchangePublic.length);
- sslEcdsaDebug("+++ Encoded ECDH Client Key Exchange");
- }
-
- dumpBuf("client pub key", &ctx->ecdhExchangePublic);
- dumpBuf("client premaster", &ctx->preMasterSecret);
- return errSecSuccess;
-}
-
-
-
-static OSStatus
-SSLDecodePSKClientKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
-{
- OSStatus ortn = errSecSuccess;
- unsigned int identityLen;
-
- assert(ctx->protocolSide == kSSLServerSide);
-
- /* this message simply contains the client's PSK identity */
- uint8_t *charPtr = keyExchange.data;
- identityLen = SSLDecodeInt(charPtr, 2);
- charPtr += 2;
-
- SSLFreeBuffer(&ctx->pskIdentity); // allow reuse via renegotiation
- ortn = SSLAllocBuffer(&ctx->pskIdentity, identityLen);
- if(ortn) {
- return ortn;
- }
- memmove(ctx->pskIdentity.data, charPtr, identityLen);
-
- /* TODO: At this point we know the identity of the PSK client,
- we should break out of the handshake, so we can select the appropriate
- PreShared secret. As this stands, the preshared secret needs to be known
- before the handshake starts. */
-
- size_t n=ctx->pskSharedSecret.length;
-
- if(n==0) return errSSLBadConfiguration;
-
- if ((ortn = SSLAllocBuffer(&ctx->preMasterSecret, 2*(n+2))) != 0)
- return ortn;
-
- uint8_t *p=ctx->preMasterSecret.data;
-
- p = SSLEncodeInt(p, n, 2);
- memset(p, 0, n); p+=n;
- p = SSLEncodeInt(p, n, 2);
- memcpy(p, ctx->pskSharedSecret.data, n);
-
- dumpBuf("server premaster (PSK)", &ctx->preMasterSecret);
-
- return ortn;
-}
-
-
-static OSStatus
-SSLEncodePSKClientKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
-{
- OSStatus err;
- size_t outputLen;
- int head;
-
- assert(ctx->protocolSide == kSSLClientSide);
-
- outputLen = ctx->pskIdentity.length+2;
-
- keyExchange->contentType = SSL_RecordTypeHandshake;
- assert(ctx->negProtocolVersion >= SSL_Version_3_0);
- keyExchange->protocolVersion = ctx->negProtocolVersion;
- head = SSLHandshakeHeaderSize(keyExchange);
- if ((err = SSLAllocBuffer(&keyExchange->contents,outputLen + head)))
- return err;
-
- uint8_t *charPtr = SSLEncodeHandshakeHeader(ctx, keyExchange, SSL_HdskClientKeyExchange, outputLen);
-
- charPtr = SSLEncodeSize(charPtr, ctx->pskIdentity.length, 2);
- memcpy(charPtr, ctx->pskIdentity.data, ctx->pskIdentity.length);
-
-
- /* We better have a pskSharedSecret already */
- size_t n=ctx->pskSharedSecret.length;
-
- if(n==0) return errSSLBadConfiguration;
-
- if ((err = SSLAllocBuffer(&ctx->preMasterSecret, 2*(n+2))) != 0)
- return err;
-
- uint8_t *p=ctx->preMasterSecret.data;
-
- p = SSLEncodeInt(p, n, 2);
- memset(p, 0, n); p+=n;
- p = SSLEncodeInt(p, n, 2);
- memcpy(p, ctx->pskSharedSecret.data, n);
-
- dumpBuf("client premaster (PSK)", &ctx->preMasterSecret);
-
- return errSecSuccess;
-}
-
-
-// MARK: -
-// MARK: Public Functions
-OSStatus
-SSLEncodeServerKeyExchange(SSLRecord *keyExch, SSLContext *ctx)
-{ OSStatus err;
-
- switch (ctx->selectedCipherSpecParams.keyExchangeMethod)
- { case SSL_RSA:
- case SSL_RSA_EXPORT:
- #if APPLE_DH
- case SSL_DHE_RSA:
- case SSL_DHE_RSA_EXPORT:
- case SSL_DHE_DSS:
- case SSL_DHE_DSS_EXPORT:
- #endif /* APPLE_DH */
- if ((err = SSLEncodeSignedServerKeyExchange(keyExch, ctx)) != 0)
- return err;
- break;
- #if APPLE_DH
- case SSL_DH_anon:
- case SSL_DH_anon_EXPORT:
- if ((err = SSLEncodeDHanonServerKeyExchange(keyExch, ctx)) != 0)
- return err;
- break;
- #endif
- default:
- return errSecUnimplemented;
- }
-
- return errSecSuccess;
-}
-
-OSStatus
-SSLProcessServerKeyExchange(SSLBuffer message, SSLContext *ctx)
-{
- OSStatus err;
-
- switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
- case SSL_RSA:
- case SSL_RSA_EXPORT:
- #if APPLE_DH
- case SSL_DHE_RSA:
- case SSL_DHE_RSA_EXPORT:
- case SSL_DHE_DSS:
- case SSL_DHE_DSS_EXPORT:
- #endif
- case SSL_ECDHE_ECDSA:
- case SSL_ECDHE_RSA:
- err = SSLDecodeSignedServerKeyExchange(message, ctx);
- break;
- #if APPLE_DH
- case SSL_DH_anon:
- case SSL_DH_anon_EXPORT:
- err = SSLDecodeDHanonServerKeyExchange(message, ctx);
- break;
- #endif
- default:
- err = errSecUnimplemented;
- break;
- }
-
- return err;
-}
-
-OSStatus
-SSLEncodeKeyExchange(SSLRecord *keyExchange, SSLContext *ctx)
-{ OSStatus err;
-
- assert(ctx->protocolSide == kSSLClientSide);
-
- switch (ctx->selectedCipherSpecParams.keyExchangeMethod) {
- case SSL_RSA:
- case SSL_RSA_EXPORT:
- sslDebugLog("SSLEncodeKeyExchange: RSA method\n");
- err = SSLEncodeRSAKeyExchange(keyExchange, ctx);
- break;
-#if APPLE_DH
- case SSL_DHE_RSA:
- case SSL_DHE_RSA_EXPORT:
- case SSL_DHE_DSS:
- case SSL_DHE_DSS_EXPORT:
- case SSL_DH_anon:
- case SSL_DH_anon_EXPORT:
- sslDebugLog("SSLEncodeKeyExchange: DH method\n");
- err = SSLEncodeDHClientKeyExchange(keyExchange, ctx);
- break;
-#endif
- case SSL_ECDH_ECDSA:
- case SSL_ECDHE_ECDSA:
- case SSL_ECDH_RSA:
- case SSL_ECDHE_RSA:
- case SSL_ECDH_anon:
- sslDebugLog("SSLEncodeKeyExchange: ECDH method\n");
- err = SSLEncodeECDHClientKeyExchange(keyExchange, ctx);
- break;
- case TLS_PSK:
- err = SSLEncodePSKClientKeyExchange(keyExchange, ctx);
- break;
- default:
- sslErrorLog("SSLEncodeKeyExchange: unknown method (%d)\n",
- ctx->selectedCipherSpecParams.keyExchangeMethod);
- err = errSecUnimplemented;
- }
-
- return err;
-}
-
-OSStatus
-SSLProcessKeyExchange(SSLBuffer keyExchange, SSLContext *ctx)
-{ OSStatus err;
-
- switch (ctx->selectedCipherSpecParams.keyExchangeMethod)
- { case SSL_RSA:
- case SSL_RSA_EXPORT:
- if ((err = SSLDecodeRSAKeyExchange(keyExchange, ctx)) != 0)
- return err;
- break;
- #if APPLE_DH
- case SSL_DH_anon:
- case SSL_DHE_DSS:
- case SSL_DHE_DSS_EXPORT:
- case SSL_DHE_RSA:
- case SSL_DHE_RSA_EXPORT:
- case SSL_DH_anon_EXPORT:
- sslDebugLog("SSLProcessKeyExchange: processing DH key exchange (%d)\n",
- ctx->selectedCipherSpecParams.keyExchangeMethod);
- if ((err = SSLDecodeDHClientKeyExchange(keyExchange, ctx)) != 0)
- return err;
- break;
-#endif
- case TLS_PSK:
- if ((err = SSLDecodePSKClientKeyExchange(keyExchange, ctx)) != 0)
- return err;
- break;
- default:
- sslErrorLog("SSLProcessKeyExchange: unknown keyExchangeMethod (%d)\n",
- ctx->selectedCipherSpecParams.keyExchangeMethod);
- return errSecUnimplemented;
- }
-
- return errSecSuccess;
-}
-
-OSStatus
-SSLInitPendingCiphers(SSLContext *ctx)
-{ OSStatus err;
- SSLBuffer key;
- int keyDataLen;
-
- err = errSecSuccess;
- key.data = 0;
-
- keyDataLen = ctx->selectedCipherSpecParams.macSize +
- ctx->selectedCipherSpecParams.keySize +
- ctx->selectedCipherSpecParams.ivSize;
- keyDataLen *= 2; /* two of everything */
-
- if ((err = SSLAllocBuffer(&key, keyDataLen)))
- return err;
- assert(ctx->sslTslCalls != NULL);
- if ((err = ctx->sslTslCalls->generateKeyMaterial(key, ctx)) != 0)
- goto fail;
-
- if((err = ctx->recFuncs->initPendingCiphers(ctx->recCtx, ctx->selectedCipher, (ctx->protocolSide==kSSLServerSide), key)) != 0)
- goto fail;
-
- ctx->writePending_ready = 1;
- ctx->readPending_ready = 1;
-
-fail:
- SSLFreeBuffer(&key);
- return err;
-}
projects / apple / security.git / blobdiff